/*
* Copyright (C) 2010-2014 Free Software Foundation, Inc.
* Copyright (C) 2013-2014 Nikos Mavrogiannopoulos
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* GnuTLS is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* GnuTLS is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see
* <https://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <gnutls/openpgp.h>
#include <gnutls/pkcs12.h>
#include <gnutls/pkcs11.h>
#include <gnutls/abstract.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <time.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
/* Gnulib portability files. */
#include <read-file.h>
#include "p11tool-args.h"
#include "p11tool.h"
#include "certtool-common.h"
static void cmd_parser(int argc, char **argv);
static FILE *outfile;
static const char *outfile_name = NULL;
int batch = 0;
int ask_pass = 0;
void app_exit(int val)
{
if (val != 0) {
if (outfile_name)
(void)remove(outfile_name);
}
exit(val);
}
static void tls_log_func(int level, const char *str)
{
fprintf(stderr, "|<%d>| %s", level, str);
}
int main(int argc, char **argv)
{
cmd_parser(argc, argv);
return 0;
}
static
unsigned opt_to_flags(common_info_st *cinfo, unsigned *key_usage)
{
unsigned flags = 0;
*key_usage = 0;
if (HAVE_OPT(MARK_PRIVATE)) {
if (ENABLED_OPT(MARK_PRIVATE)) {
flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE;
} else {
flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE;
}
} else { /* if not given mark as private the private objects, and public the public ones */
if (cinfo->privkey)
flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE;
else if (cinfo->pubkey || cinfo->cert)
flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE;
/* else set the defaults of the token */
}
if (HAVE_OPT(MARK_DISTRUSTED)) {
flags |=
GNUTLS_PKCS11_OBJ_FLAG_MARK_DISTRUSTED;
} else {
if (ENABLED_OPT(MARK_TRUSTED))
flags |=
GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED;
}
if (ENABLED_OPT(MARK_SIGN))
*key_usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
if (ENABLED_OPT(MARK_DECRYPT))
*key_usage |= GNUTLS_KEY_DECIPHER_ONLY;
if (ENABLED_OPT(MARK_CA))
flags |=
GNUTLS_PKCS11_OBJ_FLAG_MARK_CA;
if (ENABLED_OPT(MARK_WRAP))
flags |= GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP;
if (ENABLED_OPT(LOGIN))
flags |= GNUTLS_PKCS11_OBJ_FLAG_LOGIN;
if (ENABLED_OPT(SO_LOGIN))
flags |= GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO;
return flags;
}
static void cmd_parser(int argc, char **argv)
{
int ret, debug = 0;
common_info_st cinfo;
unsigned int pkcs11_type = -1, key_type = GNUTLS_PK_UNKNOWN;
const char *url = NULL;
unsigned int detailed_url = 0, optct;
unsigned int bits = 0;
const char *label = NULL, *sec_param = NULL, *id = NULL;
unsigned flags;
unsigned key_usage;
optct = optionProcess(&p11toolOptions, argc, argv);
argc += optct;
argv += optct;
if (url == NULL && argc > 0)
url = argv[0];
else
url = "pkcs11:";
if (HAVE_OPT(DEBUG))
debug = OPT_VALUE_DEBUG;
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(debug);
if (debug > 1)
printf("Setting log level to %d\n", debug);
if ((ret = gnutls_global_init()) < 0) {
fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret));
app_exit(1);
}
if (HAVE_OPT(PROVIDER)) {
const char *params = NULL;
if (HAVE_OPT(PROVIDER_OPTS))
params = OPT_ARG(PROVIDER_OPTS);
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret < 0)
fprintf(stderr, "pkcs11_init: %s\n",
gnutls_strerror(ret));
else {
ret =
gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER),
params);
if (ret < 0) {
fprintf(stderr, "pkcs11_add_provider: %s\n",
gnutls_strerror(ret));
app_exit(1);
}
}
} else {
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
if (ret < 0)
fprintf(stderr, "pkcs11_init: %s\n",
gnutls_strerror(ret));
}
if (HAVE_OPT(OUTFILE)) {
outfile = safe_open_rw(OPT_ARG(OUTFILE), 0);
if (outfile == NULL) {
fprintf(stderr, "cannot open %s\n", OPT_ARG(OUTFILE));
app_exit(1);
}
outfile_name = OPT_ARG(OUTFILE);
} else
outfile = stdout;
memset(&cinfo, 0, sizeof(cinfo));
if (HAVE_OPT(HASH)) {
cinfo.hash = hash_to_id(OPT_ARG(HASH));
if (cinfo.hash == GNUTLS_DIG_UNKNOWN) {
fprintf(stderr, "invalid hash: %s\n", OPT_ARG(HASH));
app_exit(1);
}
}
if (HAVE_OPT(SIGN_PARAMS))
sign_params_to_flags(&cinfo, OPT_ARG(SIGN_PARAMS));
if (HAVE_OPT(SECRET_KEY))
cinfo.secret_key = OPT_ARG(SECRET_KEY);
if (HAVE_OPT(LOAD_PRIVKEY))
cinfo.privkey = OPT_ARG(LOAD_PRIVKEY);
if (HAVE_OPT(PKCS8))
cinfo.pkcs8 = 1;
if (HAVE_OPT(BATCH)) {
batch = cinfo.batch = 1;
}
if (HAVE_OPT(ONLY_URLS)) {
cinfo.only_urls = 1;
}
if (ENABLED_OPT(INDER) || ENABLED_OPT(INRAW))
cinfo.incert_format = GNUTLS_X509_FMT_DER;
else
cinfo.incert_format = GNUTLS_X509_FMT_PEM;
if (HAVE_OPT(OUTDER) || HAVE_OPT(OUTRAW))
cinfo.outcert_format = GNUTLS_X509_FMT_DER;
else
cinfo.outcert_format = GNUTLS_X509_FMT_PEM;
if (HAVE_OPT(SET_PIN))
cinfo.pin = OPT_ARG(SET_PIN);
if (HAVE_OPT(SET_SO_PIN))
cinfo.so_pin = OPT_ARG(SET_SO_PIN);
if (HAVE_OPT(LOAD_CERTIFICATE))
cinfo.cert = OPT_ARG(LOAD_CERTIFICATE);
if (HAVE_OPT(LOAD_PUBKEY))
cinfo.pubkey = OPT_ARG(LOAD_PUBKEY);
if (ENABLED_OPT(DETAILED_URL))
detailed_url = 1;
if (HAVE_OPT(LABEL)) {
label = OPT_ARG(LABEL);
}
if (HAVE_OPT(ID)) {
id = OPT_ARG(ID);
}
if (HAVE_OPT(BITS)) {
bits = OPT_VALUE_BITS;
}
if (HAVE_OPT(CURVE)) {
gnutls_ecc_curve_t curve = str_to_curve(OPT_ARG(CURVE));
bits = GNUTLS_CURVE_TO_BITS(curve);
}
if (HAVE_OPT(SEC_PARAM)) {
sec_param = OPT_ARG(SEC_PARAM);
}
flags = opt_to_flags(&cinfo, &key_usage);
cinfo.key_usage = key_usage;
/* handle actions
*/
if (HAVE_OPT(LIST_TOKENS)) {
pkcs11_token_list(outfile, detailed_url, &cinfo, 0);
} else if (HAVE_OPT(LIST_TOKEN_URLS)) {
pkcs11_token_list(outfile, detailed_url, &cinfo, 1);
} else if (HAVE_OPT(LIST_MECHANISMS)) {
pkcs11_mechanism_list(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(GENERATE_RANDOM)) {
pkcs11_get_random(outfile, url, OPT_VALUE_GENERATE_RANDOM,
&cinfo);
} else if (HAVE_OPT(INFO)) {
pkcs11_type = PKCS11_TYPE_INFO;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(LIST_ALL)) {
pkcs11_type = PKCS11_TYPE_ALL;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(LIST_ALL_CERTS)) {
pkcs11_type = PKCS11_TYPE_CRT_ALL;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(LIST_CERTS)) {
pkcs11_type = PKCS11_TYPE_PK;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(LIST_ALL_PRIVKEYS)) {
pkcs11_type = PKCS11_TYPE_PRIVKEY;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(LIST_ALL_TRUSTED)) {
pkcs11_type = PKCS11_TYPE_TRUSTED;
pkcs11_list(outfile, url, pkcs11_type,
flags, detailed_url, &cinfo);
} else if (HAVE_OPT(EXPORT)) {
pkcs11_export(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(EXPORT_STAPLED)) {
pkcs11_export(outfile, url, flags|GNUTLS_PKCS11_OBJ_FLAG_OVERWRITE_TRUSTMOD_EXT, &cinfo);
} else if (HAVE_OPT(EXPORT_CHAIN)) {
pkcs11_export_chain(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(WRITE)) {
pkcs11_write(outfile, url, label, id,
flags, &cinfo);
} else if (HAVE_OPT(TEST_SIGN)) {
pkcs11_test_sign(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(INITIALIZE)) {
pkcs11_init(outfile, url, label, &cinfo);
} else if (HAVE_OPT(INITIALIZE_PIN)) {
pkcs11_set_token_pin(outfile, url, &cinfo, 0);
} else if (HAVE_OPT(INITIALIZE_SO_PIN)) {
pkcs11_set_token_pin(outfile, url, &cinfo, 1);
} else if (HAVE_OPT(DELETE)) {
pkcs11_delete(outfile, url, flags, &cinfo);
} else if (HAVE_OPT(GENERATE_PRIVKEY)) {
key_type = figure_key_type(OPT_ARG(GENERATE_PRIVKEY));
if (key_type == GNUTLS_PK_UNKNOWN)
app_exit(1);
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
label, id, detailed_url,
flags, &cinfo);
} else if (HAVE_OPT(GENERATE_ECC)) {
key_type = GNUTLS_PK_EC;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
label, id, detailed_url,
flags, &cinfo);
} else if (HAVE_OPT(GENERATE_RSA)) {
key_type = GNUTLS_PK_RSA;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
label, id, detailed_url,
flags, &cinfo);
} else if (HAVE_OPT(GENERATE_DSA)) {
key_type = GNUTLS_PK_DSA;
pkcs11_generate(outfile, url, key_type,
get_bits(key_type, bits, sec_param, 0),
label, id, detailed_url,
flags, &cinfo);
} else if (HAVE_OPT(EXPORT_PUBKEY)) {
pkcs11_export_pubkey(outfile, url, detailed_url, flags, &cinfo);
} else if (HAVE_OPT(SET_ID)) {
pkcs11_set_id(outfile, url, detailed_url, flags, &cinfo, OPT_ARG(SET_ID));
} else if (HAVE_OPT(SET_LABEL)) {
pkcs11_set_label(outfile, url, detailed_url, flags, &cinfo, OPT_ARG(SET_LABEL));
} else {
USAGE(1);
}
fclose(outfile);
#ifdef ENABLE_PKCS11
gnutls_pkcs11_deinit();
#endif
gnutls_global_deinit();
}